In April, Facebook launched an ad campaign aimed at tamping down privacy concerns that have mushroomed since the 2016 election. A few weeks before the commercial made rounds, CEO Mark Zuckerberg was called before Congress to explain his company’s position in the wake of the revelation that the data of tens of millions of Facebook users was harvested by Cambridge Analytica, a data firm hired by the Trump campaign. The social media giant’s stock plummeted. “From now on, Facebook will do more to keep you safe and protect your privacy,” the commercial vaguely promised over images of smiling families. Among the unconvinced were the multiple agencies on both sides of the Atlantic who have been investigating the tech giant, one of which, the British Information Commissioner’s Office, has announced plans to slap Facebook with a preliminary fine of $500,000 for failing to properly guard its users’ personal information.
“Facebook has failed to provide the kind of protections they are required to under the Data Protection Act,” said Information Commissioner Elizabeth Denham. “Fines and prosecutions punish the bad actors, but my real goal is to effect change and restore trust and confidence in our democratic system.”
In addition to the fine levied on Facebook, the ICO’s investigation has led to criminal prosecution of Cambridge Analytica’s parent company, SCL Elections, which filed for bankruptcy in May.
Months ago, I reported Facebook and Cambridge Analytica to the UK authorities. Based on that evidence, Facebook is today being issued with the maximum fine allowed under British law. Cambridge Analytica, including possibly its directors, will be criminally prosecuted. pic.twitter.com/td90aL9zVR
— Christopher Wylie 🏳️🌈 (@chrisinsilico) July 10, 2018
“Most of us have some understanding of the behavioural targeting that commercial entities have used for quite some time, to sell us holidays, to sell us trainers, to be able to target us and follow us around the web,” Denham said. “But very few people have an awareness of how they can be micro-targeted, persuaded or nudged in a democratic campaign, in an election or a referendum. This is a time when people are sitting up and saying ‘we need a pause here, and we need to be sure we are comfortable with the way personal data is used in our democratic process’.”
News of the data breach, which was leaked by former Cambridge Analytica employee Christopher Wylie, came as Facebook was already under intense scrutiny for allowing its platform to be used to spread targeted propaganda to impact both the 2016 presidential campaign and the June 2016 vote on whether England should remain in the European Union, the latter of which spurred the ICO’s investigation. “A significant finding of the ICO investigation is the conclusion that Facebook has not been sufficiently transparent to enable users to understand how and why they might be targeted by a political party or campaign,” Denham added. “Whilst these concerns about Facebook’s advertising model exist generally in relation to its commercial use, they are heightened when these tools are used for political campaigning.”
Though $500,000 is pocket change for Facebook, which earns as much every five minutes, it was the maximum fine permitted under the UK’s Data Protection Act, which was still in effect when the breach occurred. Under the European General Data Protection, which took effect in May, the fine could have been as high as $1.9 billion.
The financial toll could be more extreme in the United States, where Facebook is currently under investigation by the Federal Trade Commission. The crux of the FTC’s investigation is whether the Cambridge Analytica data breach violated a 2011 settlement that required Facebook to notify users if their data is shared beyond what the user stipulates in their privacy settings. If Facebook is determined to have violated the agreement, the FTC could fine them over $40,000 for each individual affected. As the Washington Post points out, this could encompass both the 71 million Americans whose data was collected by Cambridge Analytica and the 110 million American users whose data was compromised by “malicious actors” who used an automated program to harvest information. This means that, in theory, the FTC could fine Facebook around $7.5 trillion.
David Vlaeck, a former FTC official who presided over the 2011 settlement, told the Post that the actual fine is likely to be closer to $1 billion, but the scope of the investigation and the implications of the data breach would give the FTC a massive amount of leverage should they attempt to regulate the social media network. The Department of Justice, FBI and SEC have also launched investigations into various aspects of Facebook’s relationship with Cambridge Analytica.
The investigations are necessary and the ICO’s report is encouraging because, despite Zuckerberg’s testimony or the company’s ad copy, Facebook cannot be trusted to remedy the problem on its own. Though Zuckerberg told Congress in April that Facebook shut down apps that gathered the personal data of users, according to CNN, the company is now saying that an extension was given to dozens of developers, one of which was a Russian Internet company connected to the Kremlin. “In the last 6 months we’ve learned that Facebook had few controls in place to control the collection and use of user data by third parties,” Senator Mark Warner told CNN in a statement. “Now we learn that the largest technology company in Russia, whose executives boast close ties to Vladimir Putin, had potentially hundreds of apps integrated with Facebook, collecting user data.”